Infected with unknown spyware



#1 Sartana (Members, 15 posts)

Posted 31 July 2010 - 01:47 PM

I've got ZoneAlarm (firewall) installed and it keeps telling me something's been blocked from accessing my computer. I'm also redirected to random sites when clicking links in Google, and pages pop up sending me to a spyware removal program (sorry, can't remember its name).

Here's my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Trevor at 12:49:06.12 on Sat 07/31/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1198 [GMT -7:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Pl


#2 shelf life (Malware Response Team, 2,657 posts)

Posted 08 August 2010 - 06:12 PM

Hi Sartana,

Your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 Sartana (Topic Starter)

Posted 08 August 2010 - 08:44 PM

I do. I found out I'm being redirected to 'Registry Defender', if that helps.

Sorry about the half-log; I can't post correctly for some reason.

#4 shelf life (Malware Response Team)

Posted 08 August 2010 - 09:24 PM

OK, we will get a couple of downloads to use.
The first is ComboFix:

There is a guide to read first before using ComboFix. Read through the guide, then apply the directions on your own machine. Please post the ComboFix log.
Guide to using Combofix

Next is TDSSKiller:

Please download TDSSKiller.exe and save it to your desktop.
Double-click to launch the utility, then click the Start Scan button.

Once the scan completes you can click the Continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies the selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.0.0_01.08.2010_17.32.21_log.txt (name, version, date, time).
Please post the log report.

Since you already have Malwarebytes, you can check it for updates and run it as well after the above.



#5 Sartana (Topic Starter)

Posted 09 August 2010 - 10:26 AM

Here's my combofix log:

ComboFix 10-08-08.02 - Trevor 08/09/2010 10:42:05.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1436 [GMT -7:00]
Running from: c:\documents and settings\Trevor\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\65.tmp
C:\67.tmp
C:\69.tmp
C:\6A.tmp
c:\documents and settings\Trevor\Local Settings\Application Data\rhreghdnj\wtppjsitssd.exe
c:\program files\Internet Explorer\SET10E.tmp
c:\program files\Internet Explorer\SET113.tmp
c:\program files\Internet Explorer\SET134.tmp
c:\program files\Internet Explorer\SET139.tmp
c:\program files\Internet Explorer\SET1AC.tmp
c:\program files\Internet Explorer\SET1AD.tmp
c:\program files\Internet Explorer\SET1AF.tmp
c:\program files\Internet Explorer\SET55.tmp
c:\program files\Internet Explorer\SET5A.tmp
c:\program files\Internet Explorer\SET7E.tmp
c:\program files\Internet Explorer\SET83.tmp
c:\program files\Internet Explorer\SETA7.tmp
c:\program files\Internet Explorer\SETAC.tmp
c:\program files\Internet Explorer\SETD3.tmp
c:\program files\Internet Explorer\SETD4.tmp
c:\program files\Internet Explorer\SETD6.tmp
c:\program files\Internet Explorer\SETFA.tmp
c:\program files\Internet Explorer\SETFF.tmp
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\explorer(2).exe
c:\windows\system32\a.exe
c:\windows\system32\dwvthlgs.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\ndrumtol.ini
c:\windows\system32\qwealw.dll
c:\windows\system32\rmhxomqt.dll
c:\windows\system32\setup2.exe
c:\windows\system32\sqehvnjn.ini
c:\windows\Tasks\bxoonwbf.job
c:\windows\Temp\tmp3.tmp
c:\windows\wc98pp.dll
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-09 17:32 . 2010-08-09 17:32 388608 ----a-w- c:\windows\system32\CF23957.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 17:51 . 2009-12-09 01:27 -------- d-----w- c:\program files\Common Files\Akamai
2010-08-09 17:41 . 2006-09-04 00:31 16114 ----a-w- c:\windows\system32\tablet.dat
2010-08-08 04:16 . 2006-10-16 04:49 -------- d-----w- c:\documents and settings\Trevor\Application Data\OpenOffice.org2
2010-08-01 03:54 . 2010-08-01 03:55 1251840 ----a-w- c:\windows\Internet Logs\xDB8B.tmp
2010-08-01 03:54 . 2010-08-01 03:55 464896 ----a-w- c:\windows\Internet Logs\xDB8A.tmp
2010-07-10 22:28 . 2010-07-10 22:29 1207808 ----a-w- c:\windows\Internet Logs\xDB89.tmp
2010-07-08 16:48 . 2010-07-08 16:49 3411968 ----a-w- c:\windows\Internet Logs\xDB87.tmp
2010-07-08 16:47 . 2010-07-08 16:49 3411968 ----a-w- c:\windows\Internet Logs\xDB88.tmp
2010-07-08 01:40 . 2010-07-08 01:42 3410432 ----a-w- c:\windows\Internet Logs\xDB86.tmp
2010-07-08 01:40 . 2010-07-08 01:42 24064 ----a-w- c:\windows\Internet Logs\xDB85.tmp
2010-07-07 13:30 . 2010-07-07 13:31 3411456 ----a-w- c:\windows\Internet Logs\xDB84.tmp
2010-07-07 13:30 . 2010-07-07 13:31 1792512 ----a-w- c:\windows\Internet Logs\xDB83.tmp
2010-07-07 13:29 . 2010-07-07 13:29 452104 ----a-w- c:\documents and settings\Trevor\Application Data\Real\Update\setup3.12\setup.exe
2010-07-04 21:30 . 2010-07-04 21:31 3403776 ----a-w- c:\windows\Internet Logs\xDB82.tmp
2010-06-26 00:21 . 2010-06-26 00:21 19384024 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_06_25_17_20_13_full.dmp.zip
2010-06-24 12:46 . 2010-03-06 07:53 439816 ----a-w- c:\documents and settings\Trevor\Application Data\Real\Update\setup3.10\setup.exe
2010-06-17 00:43 . 2005-12-30 12:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-15 15:48 . 2008-01-14 09:13 -------- d-----w- c:\program files\Black Isle
2010-06-13 21:53 . 2010-06-13 21:53 19326824 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_06_13_14_52_31_full.dmp.zip
2010-06-05 18:33 . 2010-06-05 18:32 19238216 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_06_05_11_31_45_full.dmp.zip
2010-06-03 23:18 . 2010-06-03 23:19 3338752 ----a-w- c:\windows\Internet Logs\xDB81.tmp
2008-09-26 11:54 . 2008-09-26 11:54 59970 --sha-w- c:\windows\system32\kahowuhi.dll.tmp
2007-11-16 06:09 . 2007-11-16 06:09 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-29 07:37 . 2008-09-29 07:37 63122 --sha-w- c:\windows\system32\lanadata.dll.tmp
2008-09-29 07:37 . 2008-09-29 07:37 63122 --sha-w- c:\windows\system32\logapaju.dll.tmp
2008-09-29 07:37 . 2008-09-29 07:37 63122 --sha-w- c:\windows\system32\mokehohi.dll.tmp
2008-09-26 11:54 . 2008-09-26 11:54 59970 --sha-w- c:\windows\system32\tagetega.dll.tmp
2008-09-26 11:54 . 2008-09-26 11:54 59970 --sha-w- c:\windows\system32\vabuwida.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bart Station"="c:\program files\ISP50\hta\station.sbrt" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 81920]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-19 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-30 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\Trevor\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-9-3 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Trevor^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Trevor\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Trevor^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Trevor\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 15:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 -c--a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 02:03 1103216 ----a-w- c:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 17:36 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-29 07:03 136600 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-09-30 08:13 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2006-02-02 01:33 1880064 -c--a-w- c:\program files\verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\trevor_the_vengeful\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\trevor_the_vengeful\\half-life 2\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141796478\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\verizon\\Servicepoint\\VerizonServicepoint.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 3.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1084:TCP"= 1084:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Trevor\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Trevor\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/21/2006 3:37 PM 717296]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/17/2009 12:25 AM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Trevor\Application Data\Mozilla\Firefox\Profiles\igml1mra.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mojqywbx - c:\documents and settings\Trevor\Local Settings\Application Data\rhreghdnj\wtppjsitssd.exe
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
HKLM-Run-mojqywbx - c:\documents and settings\Trevor\Local Settings\Application Data\rhreghdnj\wtppjsitssd.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-CombiMovie (Freeware)_is1 - c:\program files\bobyte\CombiMovie\unins000.exe
AddRemove-Dark Omen Net Demo - c:\program files\Dark Omen Net Demo\Uninst.isu
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-VZBB - c:\program files\VZBB Toolbar\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-436374069-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:7e,21,5b,66,1a,3a,67,72,53,a4,05,8d,27,39,61,d8,42,2d,3e,9c,4b,
89,0c,d5,98,fc,eb,82,8e,2e,7d,34,f4,f0,19,04,49,89,5a,e8,47,e7,2d,34,b7,96,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
Completion time: 2010-08-09 10:53:29
ComboFix-quarantined-files.txt 2010-08-09 17:53
ComboFix2.txt 2009-01-02 11:20
ComboFix3.txt 2008-12-25 09:10
ComboFix4.txt 2008-12-22 07:13

Pre-Run: 30,445,690,880 bytes free
Post-Run: 32,871,096,320 bytes free

- End Of File - - 5AE336563ABA6E3910BDCE9579EE26D7

Both TDSSkiller and Malwarebytes came up clean.
Nothing trying to get at my computer for the moment.

Think I might be good?
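The ComboFix log above is the kind of output a responder triages by eye: the same few patterns recur across the "Other Deletions", "Find3M" and "Reg Loading Points" sections. The helper below is an added example for this thread; it is not part of ComboFix or of any post, and its rules are assumptions, not ComboFix logic. It reads ComboFix-style lines and flags four things that stood out in the log: an autostart entry (Run key or orphan) pointing at an executable under a user's Local Settings\Application Data, a file in system32 carrying hidden+system attributes (the --sha- entries), a custom application-compatibility shim in AppPatch\Custom, and a .job task with a machine-generated-looking name. The sample lines are constructed to resemble the log, and the name heuristic, its thresholds and the REVIEWED_BENIGN allowlist are all assumptions made for illustration.

```python
r"""
Triage helper for ComboFix-style log lines (added example; not ComboFix code).

Assumed heuristics, applied per line:
  - executable under Local Settings\Application Data (user-writable autostart target)
  - hidden+system attributes ("--sha-") on a file in system32
  - custom application-compatibility shim (.sdb) in AppPatch\Custom
  - scheduled task (.job) whose name looks machine-generated
"""
import re

# Constructed sample lines modelled on the log posted above.
SAMPLE_LOG = r"""
c:\documents and settings\Trevor\Local Settings\Application Data\rhreghdnj\wtppjsitssd.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Tasks\bxoonwbf.job
2008-09-26 11:54 . 2008-09-26 11:54 59970 --sha-w- c:\windows\system32\kahowuhi.dll.tmp
2007-11-16 06:09 . 2007-11-16 06:09 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-09 17:41 . 2006-09-04 00:31 16114 ----a-w- c:\windows\system32\tablet.dat
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-19 968696]
HKCU-Run-mojqywbx - c:\documents and settings\Trevor\Local Settings\Application Data\rhreghdnj\wtppjsitssd.exe
2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
"""

# Paths the analyst has already adjudicated (assumption for the example).
# KGyGaAvL.sys trips the attribute rule, but the cleanup script later in the
# thread left it alone, so it is treated as reviewed here.
REVIEWED_BENIGN = {r"c:\windows\system32\kgygaavl.sys"}

# A Windows path runs from the drive letter to a closing quote, a " [" or end of line.
PATH_RE = re.compile(r'([a-z]:\\.+?)(?:"|\s\[|$)', re.IGNORECASE)
# ComboFix's 8-character attribute column (e.g. "--sha-w-") precedes the path.
ATTR_RE = re.compile(r"\s([-a-z]{8})\s+[a-z]:\\", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Crude name heuristic (assumption): all-lowercase, 8+ letters, and either
    a run of three consonants or a strictly alternating consonant/vowel
    pattern, the two shapes seen in the log. Mixed-case vendor names fail
    the lowercase gate; it is only a secondary signal."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    classes = "".join("v" if ch in VOWELS else "c" for ch in stem)
    if "ccc" in classes:
        return True
    return all(a != b for a, b in zip(classes, classes[1:]))


def triage_line(line: str):
    """Return (lower-cased path, reasons) for a line with a path, else None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    raw = m.group(1).strip()
    path = raw.lower()
    parent_raw, _, base_raw = raw.rpartition("\\")
    stem = base_raw.split(".")[0]              # original case for the name heuristic
    parent_name = parent_raw.rpartition("\\")[2]
    a = ATTR_RE.search(line)
    attrs = set(a.group(1).lower()) - {"-"} if a else set()

    reasons = []
    if "\\local settings\\application data\\" in path and path.endswith(".exe"):
        reasons.append("executable in user-writable Local Settings\\Application Data")
        if looks_generated(parent_name):
            reasons.append("parent directory name looks machine-generated")
    if "\\system32\\" in path and {"s", "h"} <= attrs:
        reasons.append("hidden+system attributes on a file in system32")
    if "\\apppatch\\custom\\" in path and path.endswith(".sdb"):
        reasons.append("custom application-compatibility shim database")
    if "\\windows\\tasks\\" in path and path.endswith(".job") and looks_generated(stem):
        reasons.append("scheduled task with machine-generated-looking name")
    if reasons and looks_generated(stem):
        reasons.append("file name looks machine-generated")
    return path, reasons


def triage(log_text: str) -> dict:
    """Map each flagged path to its reasons, merging repeated mentions and
    dropping paths the analyst has already reviewed."""
    hits = {}
    for line in log_text.splitlines():
        result = triage_line(line)
        if not result:
            continue
        path, reasons = result
        if reasons and path not in REVIEWED_BENIGN:
            merged = hits.setdefault(path, [])
            merged.extend(r for r in reasons if r not in merged)
    return hits


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   -", reason)
```

The location and attribute rules do the real work; the name heuristic only adds weight, because on its own it misfires (zlclient, with its run of four consonants, would pass it). The allowlist models the adjudication step a script cannot take by itself: in this thread the cleanup script removed the six --sha- .dll.tmp files but left KGyGaAvL.sys in place.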

#6 shelf life (Malware Response Team)

Posted 09 August 2010 - 05:40 PM

QUOTE
Think I might be good?

Yes, it looks that way now. We will use ComboFix:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

CODE
File::
c:\windows\system32\kahowuhi.dll.tmp
c:\windows\system32\lanadata.dll.tmp
c:\windows\system32\logapaju.dll.tmp
c:\windows\system32\mokehohi.dll.tmp
c:\windows\system32\tagetega.dll.tmp
c:\windows\system32\vabuwida.dll.tmp


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.



#7 Sartana (Topic Starter)

Posted 13 August 2010 - 08:07 PM

I did as directed and it looked like all those items were removed. Exited the log before saving to desktop - is it automatically saved somewhere else?

Other than that, no signs of infection.

#8 shelf life (Malware Response Team)

Posted 15 August 2010 - 05:46 PM

OK, good. Sorry for the delay. If you are not getting redirected anymore, we can finish up and call it quits.
